While an increasingly number of regulations have made the reporting of data breaches mandatory, a majority of IT professionals in the United States say they have been told to keep quiet about an incident, potentially running afoul of legal requirements.
In a survey released last week, 42% of the more than 400 IT and security professionals surveyed — and 71% of those in the United States — maintain that they have been instructed to keep a data breach confidential when they knew the incident should be reported. Three in 10 of those surveyed have acquiesced and not reported the breach, according to the "2023 Cybersecurity Assessment Report," published by cybersecurity firm Bitdefender.
The pressure to keep silent on a potential breach of data not only puts companies at risk of fines and penalties but could place workers at risk as well. In reality, the decision to disclose a breach or not should rest with the executive teams, says Martin Zugec, technical solutions director at Bitdefender.
"If I'm an IT administrator, and maybe security is not even my full-time job, it's really hard for me to say if we do have the requirement to disclose or not," he says. "So the responsibility for security should start with executives, with the leadership of the company, and they should be involved in the decision to disclose."
The impetus to not report a breach is certainly not new. In 2018, for example, a similar survey found that 84% of cybersecurity professionals expected timely notification of a breach, but only 37% of the same group put an emphasis on the expeditious notification of a breach to their customers. In perhaps the most notorious example, a jury found Joe Sullivan, the former CSO of Uber, guilty of obstruction of justice and a related charge last year for his cover-up of a data breach in 2016.
Regulatory Chaos Leads to Problems in United States
While an increasing number of regulations require that companies disclose, those regulations are unfortunately not consistent. That's especially true in the United States, where a large company will find itself having to comply with 50 jurisdictions, federal regulations, and industry-specific regulations, says Bryan Cunningham, former deputy legal adviser to Condoleezza Rice when she was national security adviser, and now an adviser with Theon Technology. To boot, many companies have customers in Europe, which places them under requirements of the GDPR.
"There are sometimes instances of data handling where it's literally impossible to comply with the European Union laws and US laws at the same time," he says. "So the internal people at these companies are torn in a bunch of different directions."
The European Union's integrated approach to data security creates a consistent blanket of requirements compared with the United States and its hodgepodge of state, federal, and industry regulations regarding privacy and data protection — which perhaps leads to better disclosure stats.
Three-quarters of respondents in the US (75%) experienced a data breach in the last 12 months, while 51% of respondents in the United Kingdom, 49% in Germany, and even fewer in Italy, Spain, and France experienced a data breach. Yet, compared with the 71% of respondents in the United States who were instructed to keep a breach quiet, just 44% of respondents in the United Kingdom said the same, 37% in Italy, and less than 35% in Germany, Spain, and France, according to the "2023 Cybersecurity Assessment Report."
"We need to make it much clearer who's supposed to do what and when, which is why I believe that initiatives like the GDPR are making us, as a whole society, much safer," Zugec says. "The model of individual responsibility that we have it set up today [in the US], we are running into its limits."
Penalties Depend on Jurisdiction, Details
The penalty for failing to report a data breach varies widely by the jurisdiction and the specifics of the case, says Kevin Tunison, data protection officer for Egress, an email security provider. In the case of Uber's security chief, Sullivan, the company paid hackers $100,000 through a bug bounty program to keep quiet about the breach, and the CEO approved of the action.
"There must be disagreement in a healthy culture to debate whether an incident is reportable — if everyone agreed, there would be no need for data protection legislation," Tunison says. "Lastly and most importantly, human error is no longer an excuse a business can fall back on. It is the responsibility of every organization to take reasonable and cost-effective steps to avoid the avoidable."
In the US, the criminal code, Title 18, has a variety of potential charges that could be leveled against a person who hindered a data breach investigation, including by not reporting the original incident as required. In the EU, of the 27 countries signed onto the GDPR, 10 have prison terms as a potential penalty for criminal liability.
"Depending on the jurisdiction(s) the company operates in, the risks can be as significant as life in prison," Tunison says.
The good news is that companies appear to be changing directions, especially in the wake of the Sullivan case. While small and midsize enterprises may not have received the memo because they typically are not the target of enforcement actions and lawsuits, the largest firms around the world are starting to work with governments and asking for more homogenous regulations, says Theon Technologies' Cunningham.
"I think there is a pretty significant cultural shift among certainly publicly traded companies and regularly regulated companies, that the days of being able to bury this stuff are over," he says. "Even the wisdom of doing that has been completely reevaluated."